My Splunk alert is unable to trigger any executable file.
For instance, I have placed a reader.bat file in the Splunk scripts directory and triggered it from a Splunk alert.
I got this error in the splunkd logs.
09-13-2016 22:15:04.968 -0500 ERROR script - sid:scheduler__admin_VUNfTU9E__RMD5707bf18d75962871_at_1473822900_176 command="runshellscript", Error while executing script [Error 193] %1 is not a valid Win32 application
This is a weird error for me because I get it every time, even for an empty entry in the .bat file.
.bat file example:
echo The name of this file is: %~nx0
Moreover, I tried triggering a .ps1 but still get the same error.
I am using Splunk Enterprise on Windows 7.
The problem was solved unexpectedly, after struggling for more than 30 hours, with a simple trick.
SOLUTION
1. Delete the Splunk x64-bit version (basically your currently running Splunk).
2. Make sure to check for leftover directories or files under the installation directory (in my case: C:\Program Files\).
3. Reboot your machine.
4. Reinstall the Splunk x64-bit version on the C:\ drive (not under C:\Program Files).
5. The current installation directory is C:\Splunk.
6. This technique is now working on all other PCs as well.
I tried so many methods and techniques before finding this solution, but none of the troubleshooting methods or forum answers helped me in this particular case. The things I did are listed below.
DID NOT WORK
- Setting Java and Python environment variables.
- Reinstalling in the same path (C:\Program Files\Splunk).
- Updating Splunk.
- Reloading config files.
- Replacing the Python lib files with older-version Python lib files.
- Thought it was my PC's problem, so installed Splunk on 2 more friends' laptops.
- Replacing the Python lib files with the latest Python 3.* files.
- Setting 'savedsearches.conf' at app level and trying to trigger the .bat file via the conf file.
- Modifying some Windows Registry keys.
- Checking for a 'Program' file under the C:\ drive, which may cause the error (mentioned in some blogs).
- Updating Windows and security patches.
- Creating an empty file ftr (no idea why, but suggested by @inventsekar).
- Checking whether the Win32 error may be due to spaces in the paths and registry keys (Microsoft blog suggestions).
- Reporting this issue to Splunk Base.
- And a lot more useless tweaks.
I installed/reinstalled more than 10 times in this process.
And I don't understand why it did not work before when I installed under Program Files. Now Splunk is reinstalled on my friends' laptops and it triggers .bat files as expected. It's totally weird. Looking for findings on this problem.
Hi @ibob0304 - I'm glad the fruits of your labor paid off and that you were able to troubleshoot and answer your own question. Please don't forget to resolve the post by clicking "Accept" below your answer (and so you can give yourself karma points :D). Thanks!
If you haven't shared the alert, it'll live in etc/users/yourusername/someapp/local.
It didn't work anyway. Same error every time.
https://answers.splunk.com/answers/36763/splunkweb-starts-then-ends-and-the-service-is-stopped.html
This situation seems to happen when there was a previous Splunk instance running under C:\ and then an incomplete uninstall was performed (not sure if because of the uninstall program or what), and in the registry there are still references to the old Splunk instance.
In particular, after performing an uninstall there was this suspicious entry still there:
HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonService
You can try:
1) Stop Splunk
2) Make a backup of buckets and configuration files
3) Uninstall Splunk
4) Search the registry for every entry with Splunk and/or Python in it and clean them
5) Perform a full installation
6) Restore the configuration files & buckets
7) Create an empty file called ftr under %SPLUNK_HOME%
8) Restart Splunk
Alternatively, you can try to remove only the Python key above and perform another upgrade on top of your %SPLUNK_HOME%.
OR:
Tried removing the patches, but no good. I fixed it by:
1) Installing all Windows patches
2) Shutting down Splunk services
3) Backing up the \var and \etc directories
4) Uninstalling Splunk
5) Deleting any leftover directories
6) Reinstalling Splunk
7) Shutting down Splunk services
8) Renaming the \var and \etc directories
9) Copying the backed-up \var and \etc directories back into the Splunk directory
10) Restarting Splunk services
All good now!
I have tried both methods; they don't work. Even my second Windows system is facing the same error. The Splunk community has to look into this issue. I updated this morning to the latest Splunk and it still exists. It is not triggering any kind of external script at all. I even tried to trigger a .path file and still get the same error. The WIN32 error is a weird kind of problem and there is no proper solution in blogs either.
What does your alert.script setting in savedsearches.conf look like?
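The thread lists several things to check by hand before reinstalling (spaces in the install path, the leftover HKLM\SOFTWARE\Python\PythonService key, the ftr marker file, and, per the last comment, what the saved search's script setting actually points at). The following read-only PowerShell diagnostic is an added example, not code from the thread or from Splunk; it bundles those checks into one script and adds a PE-header check, since Win32 error 193 (ERROR_BAD_EXE_FORMAT) is what CreateProcess returns when the image it is asked to run is not a valid executable for this process (for example a truncated file or a 32/64-bit mismatch). It assumes Splunk is installed at $SplunkHome, that the alert is a stanza in a savedsearches.conf under etc whose name is in $SearchName, that the script is referenced via the action.script.filename setting, and that the executables listed in $exeList exist under bin (missing ones are skipped). It deletes nothing; it only reports findings.

```powershell
# Added example (not from the thread): read-only diagnostic for the conditions
# the thread associates with Win32 error 193 on Splunk alert scripts.
param(
    [string]$SplunkHome = 'C:\Splunk',          # assumption: install location
    [string]$SearchName = 'trigger reader'      # constructed saved-search name
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Path checks named in the thread: whitespace in the install path, ftr marker file.
if ($SplunkHome -match '\s') { $findings.Add("install path contains whitespace: $SplunkHome") }
if (-not (Test-Path (Join-Path $SplunkHome 'bin\splunk.exe'))) { $findings.Add('bin\splunk.exe not found under SplunkHome') }
if (Test-Path (Join-Path $SplunkHome 'ftr')) { $findings.Add('ftr marker present: first-time-run steps will run at next start') }

# 2. Registry leftovers from an earlier install (read only; nothing is removed here).
$pyKey = 'HKLM:\SOFTWARE\Python\PythonService'
if (Test-Path $pyKey) { $findings.Add("leftover key exists: $pyKey") }
$uninstallEntries = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' -ErrorAction SilentlyContinue |
    Get-ItemProperty -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Splunk*' }
foreach ($u in $uninstallEntries) {
    if ($u.InstallLocation -and ($u.InstallLocation.TrimEnd('\') -ne $SplunkHome.TrimEnd('\'))) {
        $findings.Add("uninstall entry '$($u.DisplayName)' points at $($u.InstallLocation), not $SplunkHome")
    }
}

# 3. PE header check: MZ stub, PE\0\0 signature, then the COFF machine field.
function Get-PeMachine {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return 'not a PE (missing MZ)' }
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOff + 6 -gt $bytes.Length -or [BitConverter]::ToUInt32($bytes, $peOff) -ne 0x00004550) { return 'not a PE (missing PE signature)' }
    switch ([BitConverter]::ToUInt16($bytes, $peOff + 4)) {
        0x8664  { 'x64' }
        0x014C  { 'x86' }
        default { 'unknown machine 0x{0:X4}' -f $_ }
    }
}
$exeList = 'bin\splunk.exe', 'bin\splunkd.exe', 'bin\python.exe'   # assumption: shipped binaries
foreach ($exe in $exeList) {
    $p = Join-Path $SplunkHome $exe
    if (Test-Path $p) {
        $m = Get-PeMachine $p
        if ($m -ne 'x64') { $findings.Add("$exe is $m; a 64-bit Splunk expects x64 images") }
    }
}

# 4. Resolve the alert's script: action.script.filename in the named stanza,
#    looked up in bin\scripts and every app's bin\scripts.
$scriptName = $null
Get-ChildItem (Join-Path $SplunkHome 'etc') -Recurse -Filter 'savedsearches.conf' -ErrorAction SilentlyContinue | ForEach-Object {
    $inStanza = $false
    foreach ($line in Get-Content $_.FullName) {
        if ($line -match '^\s*\[(.*)\]\s*$') { $inStanza = ($Matches[1] -eq $SearchName); continue }
        if ($inStanza -and $line -match '^\s*action\.script\.filename\s*=\s*(.+?)\s*$') { $scriptName = $Matches[1] }
    }
}
if (-not $scriptName) {
    $findings.Add("no action.script.filename found for [$SearchName]")
} else {
    $candidates = @(Join-Path $SplunkHome "bin\scripts\$scriptName") +
        @(Get-ChildItem (Join-Path $SplunkHome 'etc\apps') -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName "bin\scripts\$scriptName" })
    $hit = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $hit)                            { $findings.Add("script '$scriptName' not found in any bin\scripts directory") }
    elseif ((Get-Item $hit).Length -eq 0)     { $findings.Add("script '$hit' is empty") }
    elseif ($hit -match '\s')                 { $findings.Add("script path contains whitespace: $hit") }
}

if ($findings.Count -eq 0) { 'no findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable, passing -SplunkHome and -SearchName for your own install. A clean run prints "no findings"; anything it does report corresponds to one of the manual checks above, so you can decide on the registry cleanup or reinstall from evidence rather than by trial and error.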